Internet Computer Virus Protection Policy

Internet computer virus protection policy

H. Joseph Wen School of Management, New Jersey Institute of Technology, Newark, USA

Organizations and individuals two functions. First, it copies itself into previ- today need to have a compre- Introduction ously uninfected programs or files. Second, hensive virus protection Computer viruses have evolved since first (perhaps after a specific number of execu- policy to face the growing being created and the creators of these virus tions, or on a specific date) it executes what- threats of Internet computer programs have also become cleverer. Their ever other instructions the virus author viruses. The purpose of this newer creations are more complex and diffi- included in it. Depending on the motives of paper is to introduce to the cult to detect and remove. They have also the virus author, these instructions can do reader the threats that Inter- broadened their arena of inflicting disaster to anything at all, including displaying a mes- net computer viruses can encompass the Internet (Nachenberg, 1997; sage, erasing files or altering stored data. In cause and provide guidelines Whalley, 1996). some cases, a virus may contain no harmful on how organizations or As companies increasingly embrace Inter- or disruptive instructions at all. Instead, it individuals can protect them- net technology as a way to conduct global may cause damage by replicating itself and selves against these viruses. electronic commerce, the possibility of taking up system resources, such as disk Discusses the full set of virus acquiring a computer virus is greater. Com- space, CPU time, or network connections. types. Recommends the puter viruses have become an ongoing world- There are two ways for a virus to spread: development of virus protec- wide problem and can travel quickly through booting from an infected diskette or execut- tion policy for organizations. the Internet, causing even more destruction. ing an infected program. Most viruses stay On November 2, 1988, the Internet virus, active in memory until you turn off your coded in C programming language, invaded computer. When you turn off the computer ARPANET. Within minutes the Internet net- you remove the virus from memory, but not work was devastated and many computer from the file or disk it has infected. The next centers had to shut down. These included time you use your computer, the virus pro- NASA’s Ames Laboratory, Lawrence Liver- gram is activated again and attaches itself to more Laboratory, MIT and the Rand Corpora- more programs. A computer virus is like a tion. biological virus: it lives to replicate. Organizations and individuals today need All computer viruses in existence live in to have a comprehensive virus protection some location on the computer. We are aware policy to face the growing threat of these old of all the areas where computer viruses live and new viruses on Internet. The purpose of and breed. They are located in the hard boot this paper is to introduce to the reader the sector of a disk that may include the hard threats that Internet computer viruses can drive, floppy disk or CD. They can also be cause and provide guidelines on how organi- found in program files. There are five major zations or individuals can protect themselves types of viruses (Jarvis, 1997; Nachenberg, against these viruses. 1997). 1 Boot sector viruses. 2 Program viruses. What is a computer virus? 3 Stealth viruses. 4 Polymorphic viruses. A computer virus is one kind of threat to the 5 Multipartite viruses. security and integrity of computer systems. Like other threats, a computer virus can A boot sector virus modifies the boot sector cause the loss or alteration of programs or and it appears to be the most common virus. data, and can compromise their confidential- Every disk has a boot sector that controls ity. Unlike many other threats, a computer how a computer operates when starting. A virus can spread from program to program, boot sector virus loads into memory from the document to document and from computer diskette on starting and may infect other system to computer system, without direct applications, other disks or just create poor human intervention. performance. The infection begins when the Information Management & Computer Security The essential component of a virus is a set computer is turned on and there is a floppy 6/2 [1998] 66–71 of instructions that, when executed, spreads diskette in your drive. © MCB University Press itself to other, previously unaffected, programs The second category of viruses is program [ISSN 0968-5227] or files. A typical computer virus performs infectors. These viruses live in program files. [ 66 ] H. Joseph Wen This type of virus loads into memory when The most destructive macro virus, by far, is Internet computer virus the system executes the file. Once in memory, the concept virus. Within months of its dis- protection policy the virus can infect any and all programs covery in the fall of 1995, the concept virus Information Management & subsequently executed. Then those files can accounted for more than three times the num- Computer Security infect other program files. ber of virus encounters reported for the pre- 6/2 [1998] 66–71 As the name implies, stealth viruses have vious leader, the “Form virus.” Today, the the characteristic of hiding. A virus with concept virus has infected almost one-half of stealth attributes tends to be found in a boot all medium to large corporations according to sector or a program file. The majority of a survey conducted by NCSA. known stealth viruses are of the boot sector While most of the known macro viruses type because this type is much easier to blend (which number over 500) are not destructive, into programs. Stealth viruses cover their many causes a considerable loss of productiv- trails by two techniques. The first is to redi- ity and staff time. The concept virus restricts rect disk reads to other locations and the file saving operations, and other macro second technique is making a change in boot viruses have been known to manipulate infor- tables. The virus usually changes file sizes to mation, control data storage, and even refor- escape detection. mat hard drives. This potential destructive- Polymorphic viruses are viruses that ness has corporate system administrators appear different in each infected file, making trying to find the best way to combat these detection more difficult. They change their new virus threats. characteristics during their replication Unfortunately, with the ease in which these process. These viruses are the most difficult viruses can be developed, coupled with the for anti-virus software packages to detect. vast number of word processing and spreadsheet documents exchanged throughout the There are several early signs that a com- world every day via the Internet, it is difficult puter may be infected with any one of these to detect using anti-virus software. Essen- virus types. Computer viruses are known to tially, macro viruses are spreading and display unfamiliar graphics or messages on mutating so fast that anti-virus software your computer screen. Viruses are known to designed to detect and remove them is obso- reformat hard disks without prompting the lete soon after it is shipped to users. user, they change the disk volume label and create unknown files or sub-directories. Per- formance of computers including speed and Internet computer viruses memory size is affected and programs or files may get deleted. The new wave of computer virus threats will not travel via floppy disks or network files but via the Internet. The threat of Internet The new threat: macro viruses viruses is more deadly than any previous computer virus threat seen. These viruses The most successful computer virus that has will not only display messages or delete files caused havoc in corporations and has been but their capabilities are far deadlier. responsible for “down time” is the macro One example of what viruses over the Inter- virus and its mutation forms. net are capable of doing is being able to seek If a user sends or receives documents or out an Internet user’s personal bank account spreadsheets, chances are his/her computer information, without a personal identifica- has been or will be infected at one time or tion or transaction number. This may sound another by a macro virus. Relatively new on like science fiction, but to the computer virus the computing scene, these computer viruses developer in Germany who created the virus are spreading faster than most anti-virus it is not (Chen, 1997; New York Times, 1993). software makers can find ways to detect and The threat of this Internet virus is that it remove them. Macro viruses are now the loads automatically as the user browses the most prevalent computer viruses in the World Wide Web. The virus is carried by a world. This is largely due to the new way in control development using Microsoft’s Active which they spread. They attach themselves to X, which is in growing use on Web pages word processor and spreadsheet documents, throughout the world. This is only the begin- which often are transmitted as e-mail attach- ning of the power that Active X can display ments via the Internet and throughout the over the Web. For example an Active X con- world. Macro viruses represent 80 percent of trol called “Exploder” can shut down all infections (Coursey, 1997). Moreover, the Microsoft Windows 95 and shut down your instances of macro virus infections doubled computer if it has an energy conservation about every four months in 1996. This makes BIOS. This illustrates the power that these these viruses the fastest to spread. “new” viruses can have over the Internet. [ 67 ] H. Joseph Wen Any type of computer is at risk. Even if you applets. Disabling them will only frustrate Internet computer virus have a firewall between the Internet and your the users and disabling them will eliminate protection policy computer, you can be at risk. some applications of value to users. Information Management & This threat is not only limited to Active X There are third party software packages, Computer Security controls. Similar capabilities are now being such as Web Virus Wall, WebProtect, Inter- 6/2 [1998] 66–71 attributed to Java, a competing programming Scan and Microsoft’s Authenticode that will language developed by Sun Microsystems. be able to help in the fight against these Active X and Java were not created to trans- viruses. These packages are capable of on-off mit viruses but were created for Web page blocking options of controls or applets that designers to incorporate a wide array of may be tampered with. They are also capable impressive effects on Web pages. They add of executing the Active X controls and Java movement and dimension to previously ‘flat’ applets in an isolated environment, such as a Web pages. Java and Active X are responsible, clean room, between the user’s computer and for example, for the ability for stock prices to the LAN. scroll across Web pages and for animation of At this time, viruses over the Internet by web pages. use of Active X and Java applets are isolated. The dangers and advantages that viruses However the concern is growing as security have are that to operate properly Active X experts and users begin to see a pattern of controls and Java applets need to gain access virus growth that is familiar to the PC to your hard disk. Insufficient memory and viruses. Internet traffic necessitate this approach. The virus code developers are using this feature of Active X and Java to read, delete or Internet virus protection policy corrupt files, access RAM and access files on The increase in virus incidence despite rising computers attached via a LAN. anti-virus software usage can lead to but one In the example of the Internet virus from conclusion: “It is obvious using existing anti- Germany stated previously, the Active X con- virus products alone isn’t working” (White et trol searches the user’s hard disk for installa- al., 1996). tion of Quicken, a popular personal software In many cases, the fault lies not in the tech- that is used by over nine million people nology but on the users themselves. If an worldwide. Once the virus locates the organization has failed to establish policies Quicken files, the Active X control orders a for determining how to protect the data from transfer of funds that is added to the soft- viruses, no product is likely to provide secu- ware’s list of queued transfers. This is com- rity. Even anti-virus software vendors agree: pleted unknown to the user when he pays the their products should be used to implement bills. and enforce existing policy, not to compensate Computer viruses were thought to be mali- for the lack of it (Wood, 1997). cious code that spreads by duplicating itself Certainly, products such as anti-virus soft- via attachments to executable files. The first ware are needed to detect and remove com- threat of viruses over the Internet came from puter viruses. Products alone are not enough FTP downloads and reading attachments to solve the problem. A combination of prod- from e-mail. With the new threat, viruses in ucts, people who understand the need for Active X controls and Java applets can spread virus protection, and an appropriate proce- with even no action by the user. Simply surf- dure for detection could form an effective ing the World Wide Web can be dangerous. anti-virus policy (NCSA, 1997; Wack, 1989). Of the two carriers of viruses, Active X is Figure 1 shows the key issues that MIS profes- perceived to be the greater threat because of sionals must consider when formulating an its design. Active X has direct access to native anti-virus policy. These issues can be orga- Microsoft Windows commands. However nized into the “three P’s” people, products, since Java applets can be attached to e-mail, a and procedures (Cohen, 1994; Demey, 1996; browser will automatically activate the Fites, 1989; Slade, 1994; Soloman, 1991). applet, enabling Java applet viruses to increase in speed. People Solutions to the security threat of Active X The key players in an anti-virus policy are and Java applets are found on both the client the users and managers inside the company. side and server side. The most obvious client Two primary steps have to be taken to formu- side solution is to simply disable Java and late an anti-virus policy. Active X altogether on user workstations. This solution is less than optimal and accept- Understanding the corporate culture able for a few reasons. First, users are accus- Corporations have two philosophies on virus tomed to the multi-dimension control protection. There are those corporations that afforder by Active X controls and Java mandate users to inform on all virus detection. [ 68 ] H. Joseph Wen Figure 1 explicitly runs the software to perform a Internet computer virus Effective Internet computer virus protection virus check on a hard disk or floppy disk. The protection policy policy best desktop products use a combination of Information Management & detection methods, such as monitoring the Computer Security People system for virus behavior (e.g. formatting the 6/2 [1998] 66–71 hard disk), comparing files against a database Products of known virus code, and checking for unex- Procedure plained changes in file sizes. However, client-based anti-virus detection methods suffer from a key shortcoming. The Secure Information client-based periodic approach only detects viruses when the anti-virus software is used by the client. All other files that are downloaded or otherwise transferred into the desktop computer are not checked, each of which Internet Organizations Intranet, may contain a virus. Computer Extranet Computer Virus Threats Virus Threats The server-based solution A comprehensive virus protection for an They are required to inform what type of entire network depends on scores, if not hun- virus was found and by what avenue it was dreds, of users employing their desktop pro- received. The purpose of this is to stop the tection correctly at all times. Recognizing spread of viruses as soon as possible. Other this obvious flaw, anti-virus vendors devel- corporations have a less stringent policy oped server-based virus protection five years against virus protection. They may only ago. Server-based virus software resides on install anti-virus software on users’ comput- the network server. Operating under IPX ers that request it and run virus scans when protocol and NetWare, or in the Windows NT computer viruses have spread throughout the environment, this software protects internal organization. LANs from viruses attached to files that pass User education through the network server. Users in the two cases mentioned above need Server-based virus protection software is proper education. In the first case, users typically more effective than corresponding should be aware of the dangers that exist. client-based software. In centralized manage- They should know what to do if they suspect a ment of virus protection, scanning is usually security problem. In particular, they should more frequent, as is the updating of virus know whom to call and what to do if they have pattern databases that is essential for detect- questions or suspicions of having a computer ing new viruses. virus. Users should be encouraged to feel that However, file server anti-virus software suffers from two weaknesses. First, the security measures are things that they want strong anti-virus capability at the network to do for their own benefit, rather than things server rather than the client means that the that are required for no rational reason. client is vulnerable to any virus attached to a Another point making user education file that bypasses the network server. Such is important is that, if users are aware of the the case on the Internet, since downloaded kinds of visible things that are known to files and e-mail bypass the network server. happen in systems that are virus-infected, Second, file server anti-virus software cannot these users can serve as an important line of scan e-mail attachments while they are still defense. Users should know that odd behavior attached, enabling viruses on these files to in a computer system may be a symptom of a spread unchecked. penetration of a virus. It is important to educate the end users, the The “protect all entryways” solution first-level support people, and management Both desktop-based and server-based solution involved at all levels, since they must take the alone at best provides limited virus protec- necessary actions quickly when a viral infection for some, but not all network users. Inter- tion is detected. net-borne viruses are not intercepted by server-based anti-virus software because the Anti-virus products connection to the Internet (i.e. the Internet gateway) typically bypasses the network The desktop-based solution server. This allows viruses to flow into the Client-based (user-based) anti-virus software, internal LAN unchecked. Connection to the installed on the client’s computer, runs when Internet gateway bypasses the network the user boots up the system or when the user server because the two use incompatible [ 69 ] H. Joseph Wen protocols and different machines. While net- install and set up software to take advantage Internet computer virus work servers typically operate under Net- of automatic configuration and deployment, protection policy Ware using the IPX protocol, 80 percent of all how to customize the level of protection Information Management & Internet gateways operate under UNIX using appropriately for different types of user, and, Computer Security the Transmission Control Protocol/Internet most importantly, how to ensure that regular 6/2 [1998] 66–71 Protocol (TCP/IP). updates are obtained and deployed to all the The most effective way to ensure that the workstations. internal network remains virus-free is to Establish a virus response team monitor all entryways for viruses. As shown Similar to an emergency response team or in Figure 2, using a combination of products other cross-disciplinary group in an organi- that cover every access point – Internet gate- zation, a virus response team can be assem- ways, GroupWare servers, Internet servers, bled from many different departments. They LAN servers, and desktops are the most effec- can be trained and empowered to deal calmly, tive way to protect the network from both the effectively and professionally with any virus first and the second generation viruses. incident. One advantage of such a team is that For an anti-virus product to be useful, it when an incident does occur, specific people must reliably intercept viruses without are already selected to immediately tackle impairing system performance and reliabil- cleanup. Of equal importance, providing team ity or user productivity. Configuration and members with a specific identity and status usage flexibility, management capabilities, sends a message to all employees that virus and customer support are also key considera- protection is important and that it involves tions when evaluating virus protection. more than the guys in MIS. • Upgrade anti-virus product/service. All Putting it together with procedures entryways should be protected with best While the approach taken to developing an anti-virus product/service as described anti-virus policy is likely to vary from com- before. pany to company, some issues must be • Begin an employee awareness campaign. addressed in all cases. User education and awareness of the virus Develop anti-virus procedure manual threat are a major success factor in the protection policy. Procedures are specific operational steps that • Periodically review, revise, and reinforce workers must take to achieve goals – compre- importance of policy. hensive virus protection. Procedures are needed for making best use of selected prod- An annual review is usually sufficient and uct and service solutions, such as how to serves to reinforce an important issue that

Figure 2 The all the entryways solution = Internet ﬁrewall + server based antivirus + desktop based antivirus

Internet

Remote Users Remote Servers

FIREWALL FIREWALL FIREWALL

Server-based Server-based Anti-virus Anti-virus

Database Server File Server Application Server

Ethernet

Desktop-based Anti-virus

Workstation Workstation Workstation Workstation [ 70 ] H. Joseph Wen may not have been discussed for some time. successful in their computer virus fight, they Internet computer virus The developed policy must integrate anti- should understand the corporate culture, protection policy virus products/services, people, and proce- develop an anti-virus procedure manual and Information Management & dures in a manner consistent with the corpo- begin an employee awareness campaign in Computer Security rate culture, mission and goals. The resulting the organization. On the IT side they need to 6/2 [1998] 66–71 policy must be clear, concise, and consistent establish a virus response team, upgrade with other corporate policies. anti-virus products on the workstations and servers. Once these suggestions are imple- mented, they need to be reviewed, revised, Conclusion and reinforced regularly. Using these suggestions an organization or individual can best Computer viruses have dramatically protect themselves against computer viruses. increased in complexity over the years. The first viruses were static programs that copied References themselves from program to program or Chen, E. (1997), “Active X and Java: the next virus diskette to diskette. The viruses that exist carriers?”, Computer Technology Review, pp. today are much more complex. They not only 38-41. spread the previous ways, but now also Cohen, F. (1994), Short Course in Computer spread via e-mail and the Internet. Also a Viruses, Wiley. second breed of viruses has been developed – Coursey, D. (1997), “Macro world beyond viruses”, Internet viruses. Their threats to cause Computer World, June 2. destruction are more deadly than viruses that Demey, P. (1996), “Protect your electronic data traveled only on LANs. They are the new before its too late”, Practical Accountant, virus threat that the computer industry December, pp. 32-35. needs to direct its fight against and that com- Fites, P. (1989), Computer Virus Crises, Van Nostra- puter users need to be aware of. nol. The threat of computer viruses on LANs Jarvis, K. (1997), “Demystifying computer and PCs is still great. New viruses are being viruses”, Management Accounting, April, pp. created readily. The PC virus that is most 24-31. infecting computers today is the Macro virus. Nachenberg, C. (1997), “Computer virus – coevolu- Macro viruses are a new wave of viruses that tion”, Communications of the ACM, January, started to appear in 1995 and they are now the pp. 46-51. most prevalent computer viruses in the New York Times (1993), “The virus: threat or world. Macro viruses attach themselves to menace?”, New York Times, 15 June. ® word processor documents and spread sheets. NSCA (1997), “NCSA 1997 computer virus preva- They spread fast due to the growing use of e- lence survey”, NCSA, available at http:// mail attachments. www.antivirus.com/forms/ncsarep.html Viruses can pose a threat to the security of Slade, R. (1994), Guide to Computer Viruses, Springer-Vaelag. programs and data on computing systems. Soloman A. (1991), PC Viruses: Detection, Analyses They can spread without the intent of the and Cure, Springer-Valag. people who spread them. Today viruses are Wack J. (1989), Computer Viruses and Related spreading new ways. They are spreading over Threats: A Management Guide, Department of the Internet via e-mail, FTP and now by Commerce. Active X and Java applets. This means that Whalley, I. (1996), “Virus defense for the future”, just browsing the Internet makes the com- Security Management, November, pp. 60-4. puter vulnerable to viral infection. White S.R., Kuo, C.J. and Chess, D.M. (1996), Cop- The use of anti-virus software to protect ing with Computer Viruses and Related Prob- against viruses alone is not enough. An effec- lems, IBM Los Angeles Scientific Center and tive virus protection policy should combine IBM Thomas J. Watson Research Center. the “three P’s”; people, products, and proce- Wood C.C. (1997), “Policies from the ground up”, dures. In order for policy developers to be Infosecurity News, March/April, pp. 24-8.

[ 71 ]